Once your copy of Sicura Agent has been installed certain options can be set inside the sicura-agent.yaml file.
NOTE: This file is not generated during install time and requires you run the sicura-agent at least once to be generated.
The config file can be found here:
Linux: /etc/sicura/sicura-agent.yaml
Windows: C:\Program Files\Sicura\Sicura Agent\sicura-agent.yaml
The Sicura Agent config file has four sections. Each section has a set of options which, by default, are disabled (commented out). To enable an option, remove the comment character # and enter the relevant information for that option.
NOTE: Options within this section control the agent’s functionality system-wide.
log-level
By setting log-level you control what information the agent outputs to stdout and stderr. The level can be lowered or raised to one of seven values for troubleshooting: trace, debug, info, warn, error, fatal, and panic. The default is info.
log-to-file
This true/false option allows you to choose whether output from the scanner should go to a file in addition to the terminal's stdout/stderr. This is ideal for archiving situations. The default destination for this file is STATE_DIRECTORY/sicura-agent.log.
log-dest
This is a custom-defined path where the log file will be saved. This will allow you to override the default log location.
force-scan
The Sicura Agent will error and fail when trying to pull Sicura_Default_Content*** from the console if you are using an unsupported platform. If force-scan is set to true, this error becomes a warning and the agent continues running.
NOTE: Use this option at your own risk! Using an unsupported platform may cause undesired results for both the agent and the console.
collector-request-interval
When using sicura-agent run or running the Sicura Agent as a service, the process will periodically reconnect to its collector(s). The collector-request-interval option allows you to adjust the wait period between connections. The default is 30 seconds.
ignore-platform-mismatch
In some cases when doing CIS scans, a result set may come back with every result marked 'Not Applicable'. If this happens, this option can be set to true to attempt a CPE-agnostic scan.
The following options define the information the Agent needs to connect to the Sicura Console.
collector-https
(true) Whether a secure protocol should be used when accessing the console collector.
collector
The hostname that connections should be made to. Overrides the default of the sicura-console-collector well-known DNS entry.
collector-port
(6468) The port on which the Sicura Console is running and accepting connections.
Any output from the Agent is considered a "Report". By default, reports are sent to the Sicura Console collector for further evaluation and displayed in the Console UI. If desired, they can be kept on the local system.
save-reports
This true/false setting allows you to save the reports for each job. If true, reports are saved to STATE_DIRECTORY/reports by default.
report-path
Allows you to override the default path for reports.
This section outlines the various collectors registered to the Sicura Agent. Collectors are defined in a list within the file and each collector has its own set of sub-options. These sub-options are collector, url, registration_token, abilities, and node-name.
Collector entries can be added manually or automatically appended using the sicura-agent register command.
An example collector configuration could look like this:
default:
  url: https://my-sicura-console:6468/collector/default
  registration_token: XXXXXXXXXXXXXXXXXXXXXXX
  abilities:
    - ABILITY_TYPE-1
    - ABILITY_TYPE-2
  node-name: ""
Currently, all collectors use the name default, so expect each registered collector to start with 'default' before defining its own options.
The types of abilities supported are:
openscap
ciscat
jscat
compliance-engine
bolt
When sicura-agent executes a command, it runs it against every collector defined. For example, if you have three registered collectors, sicura-agent fetch will call out to each of them to fetch content.
url
Defines the location the collector needs to talk to. This URL can be copied directly from the Client Installation page on your Sicura Console.
registration_token
This token allows your agent to securely communicate with the console during initial registration. Once registered, the agent uses the login token it received, which is stored in your STATE_DIRECTORY/state.json file.
abilities
Defines a list of one or more ability types to be used for scanning/enforcement each time a job is performed.
node-name
Assigns a name to your node during initial registration with the Console. This option can be left blank, in which case your FQDN will be used instead.
The following options allow for configuration specific to the ability type in use (OpenSCAP/CIS-CAT/jScat/etc.).
Note: Use these options as a catch-all in case no other options are specified elsewhere (best used with the “Scan Now” button)
default.profile
Predefines a profile to be used for scanning any time a scan is performed.
default.filename
Predefines a benchmark to be used for scanning any time a scan is performed.
default.ability-type
Predefines a default ability type to use when multiple abilities are possible.
ciscat.install-path
Points to the location of your Assessor-CLI.jar file. This option is required if you'd like to do CIS scanning.
ciscat.profile
Predefines a profile to be used for scanning any time a scan is performed.
ciscat.content_directory
Adds this directory to the lookup for benchmarks to be used for CIS scanning. This affects the sicura-agent list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.
ciscat.filename
Predefines a benchmark to be used for scanning any time a scan is performed.
openscap.profile
Predefines a profile to be used for scanning any time a scan is performed.
openscap.content_directory
Adds this directory to the lookup for benchmarks to be used for Linux STIG scanning. This affects the sicura-agent list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.
openscap.filename
Predefines a benchmark to be used for scanning any time a scan is performed.
jscat.install-path
If you wish to override the path from which jScat is loaded, this option allows you to specify it. Sicura Agent comes with jScat pre-packaged, so this option is not needed.
jscat.profile
Predefines a profile to be used for scanning any time a scan is performed.
jscat.content_directory
Adds this directory to the lookup for benchmarks to be used for Windows STIG scanning. This affects the sicura-agent list command as well as the interactive benchmark options returned when a scan is run with no benchmark defined.
jscat.filename
Predefines a benchmark to be used for scanning any time a scan is performed.
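As an added example (not Sicura's own tooling), the following Python script sanity-checks a parsed sicura-agent.yaml against the options documented above: the seven log levels, the force-scan and collector-https risk settings, the supported ability types, and the ciscat.install-path requirement. The top-level key collectors, the dotted-versus-nested form of the ability options, and the sample values are assumptions; the config is embedded as a dict mirroring the YAML keys rather than read from disk.

```python
# Added example, not part of the Sicura Agent project. In practice the dict would
# come from yaml.safe_load(open("/etc/sicura/sicura-agent.yaml")).

LOG_LEVELS = {"trace", "debug", "info", "warn", "error", "fatal", "panic"}
ABILITIES = {"openscap", "ciscat", "jscat", "compliance-engine", "bolt"}


def lint_agent_config(cfg):
    """Return a list of (severity, message) findings for a parsed config dict."""
    findings = []
    level = cfg.get("log-level", "info")
    if level not in LOG_LEVELS:
        findings.append(("error", f"log-level {level!r} is not one of {sorted(LOG_LEVELS)}"))
    if cfg.get("force-scan") is True:  # documented as "use at your own risk"
        findings.append(("warn", "force-scan: true downgrades unsupported-platform errors to warnings"))
    if cfg.get("collector-https", True) is False:
        findings.append(("warn", "collector-https: false talks to the console without TLS"))
    port = cfg.get("collector-port", 6468)
    if not (isinstance(port, int) and 0 < port < 65536):
        findings.append(("error", f"collector-port {port!r} is not a valid TCP port"))
    used = set()
    for entry in cfg.get("collectors", []):  # key name 'collectors' is assumed
        coll = entry.get("default", {})  # every collector is currently named 'default'
        url = coll.get("url", "")
        if not url.startswith("https://"):
            findings.append(("warn", f"collector url {url!r} does not use https"))
        token = coll.get("registration_token", "")
        if not token or set(token) == {"X"}:  # empty or still the XXXX placeholder
            findings.append(("error", "registration_token is empty or still the placeholder"))
        for ability in coll.get("abilities", []):
            if ability not in ABILITIES:
                findings.append(("error", f"unknown ability {ability!r}"))
            used.add(ability)
    # Accept either a dotted key or a nested mapping for the ciscat section.
    install = cfg.get("ciscat.install-path") or cfg.get("ciscat", {}).get("install-path")
    if "ciscat" in used and not install:
        findings.append(("error", "ciscat ability requires ciscat.install-path (Assessor-CLI.jar)"))
    return findings


SAMPLE = {  # constructed sample mirroring the page's example collector entry
    "log-level": "debug",
    "force-scan": True,
    "collector-https": True,
    "collector-port": 6468,
    "collectors": [{"default": {
        "url": "https://my-sicura-console:6468/collector/default",
        "registration_token": "XXXXXXXXXXXXXXXXXXXXXXX",
        "abilities": ["openscap", "ciscat"],
        "node-name": "",
    }}],
}
```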